Cybersecurity: Threat or opportunity?

Recent high-profile data breaches in offshore jurisdictions have highlighted the need for companies to take cyber security seriously.

In its first annual report (October 2017), the U.K.’s GCHQ National Cyber Security Centre revealed that more than 1,000 incidents had taken place since its inception — over half of which were classed as ‘significant.’ Some of the more high-profile breaches have included the ransomware attacks that affected the NHS, and of course the recently disclosed Uber hack.

Furthermore, the ongoing speculation around possible Russian intervention in the U.S. elections and Brexit referendum has highlighted that almost anyone, from large corporations and public sector bodies to private individuals, can be a target.

Clearly the extent of the cyber security threat has not been restricted to the United Kingdom and the U.S. Recent high-profile data breaches, including the Panama and ‘Paradise’ papers, have also embroiled a number of companies, offshore jurisdictions and prominent individuals.

Cyber threat

In the Cayman Islands, the Information & Communications Technology Authority has warned businesses about the danger of cyber attacks, including phishing emails which purport to be from the regulator itself.

These emails claim to inform the recipient about security and ask them to click on a link — which is in fact merely a tool to allow the attackers to steal user details, and typically money or sensitive data.

The threat to businesses in the Caribbean region is an extension of the global battle against cybercrime. In May 2017, an attack by the WannaCry malware impacted businesses in the Cayman Islands and 150 other jurisdictions worldwide.

The malware encrypts files on infected computers and demands money from users to unlock their files. Such attacks are often spread by malicious attachments or links sent to unsuspecting victims, with attackers adopting a range of disguises: from authority figures promising financial gain to legitimate human resources staff inside a business.

Unfortunately the inherent dynamic is that there is more to be gained financially from cynical data theft than in relying on the very few methods of tracing (let alone catching) cyber criminals.

It therefore seems only logical that companies will need to keep cyber security at the top of mind — not least for those firms that harbor a large amount of highly confidential information about individuals who value that privacy more than most.

Complicating matters, in some jurisdictions paying a ransom to retrieve data encrypted by cyber attackers can be illegal as it can be viewed as complicity in the crime.

Cyber risks can no longer be considered peripheral irritations for an IT department to sort out. A business’s approach to cyber risk may have a critical impact on the value and going concern of the firm. In particular, cyber security is acutely important to those businesses who manage individuals’ privacy, such as the fiduciary sector.

A risk to corporate valuations?

The risk posed by cyber security to M&A deals is increasingly visible in public markets: $400 million was knocked off the value of Yahoo in the course of its summer 2017 acquisition by Verizon due to two historical data breaches which left an estimated 500 million user accounts compromised.

More recently, a 2016 breach at Uber has hit the press with an as yet unknown effect on the company’s listing aspirations or valuation. However, Japan’s Softbank has reportedly offered to buy Uber shares from existing shareholders at a 30 percent discount to the ride-hailing group’s previous fundraising (although this may perhaps be an unrelated coincidence).

Recent data breaches at other notable public companies have included consumer goods company Reckitt Benckiser, U.S. consumer credit reporting agency Equifax and Morrisons, the U.K. supermarket chain. In the latter case, 100,000 staff payroll details were stolen, including addresses, names, bank details and phone numbers. The incident triggered a 10 percent drop in the company’s share price.

According to a 2016 report by MergerMarket for West Monroe Partners, 23 percent of senior M&A executives at corporates and private equity firms reported that they had walked away from a deal due to data security issues at the target.

Turning adversity into opportunity

The rise of cybercrime, and the concurrent increase in the importance of companies and services that counter it, have created an interesting subsector: publicly investable crime-fighting technology companies. A number of listed cyber security firms have benefitted from these high-profile cyber attacks.

The CIBR First Trust NASDAQ Cybersecurity ETF (see graph) aims to track the large cap cyber security universe and its compelling performance since the end of 2015 to Dec. 7 (+24.5 percent) has reflected the increased importance of the sector. However, one must keep in mind that past performance is not a guide to future performance.

Increasingly, this is an area that is not only an investment opportunity in itself, but also an important part of investment due diligence, ensuring that companies are taking this cyber protection seriously. It is also a significant tail risk to bear in mind for data-critical businesses where a data breach could be catastrophic. Conversely, those data-rich companies that are best equipped, with a strong track record of cyber data protection, may well turn their attentiveness in this area into a core part of their proposition and business model. See figure 1.

Conclusion

Given this background, it should be expected that the potential impact of cyber security breaches will progressively come under the spotlight and that the perceived cyber risk will increasingly be priced into both public and private corporate transactions.

In the dynamic fiduciary world, which has experienced a spate of corporate activity over the last few years, the merging of systems and confidential information will need to be managed even more judiciously. Debatably, the background of greater regulatory burden and higher cyber security costs affecting smaller fiduciary companies may well lead to this trend continuing, with the best prepared most likely to flourish.

Furthermore, from an investment perspective, the companies selling cyber security services are likely to become an increasingly important part of our clients’ investment universe.

Smith & Williamson
